Uncomplicated Firewall

From KevinWiki


Installation

$ sudo apt-get install ufw 
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following extra packages will be installed:
  ucf
The following NEW packages will be installed:
  ucf ufw
0 upgraded, 2 newly installed, 0 to remove and 0 not upgraded.
Need to get 84.7kB of archives.
After this operation, 463kB of additional disk space will be used.
Do you want to continue [Y/n]? y
Get:1 http://us.archive.ubuntu.com hardy/main ucf 3.005 [61.6kB]
Get:2 http://us.archive.ubuntu.com hardy-updates/main ufw 0.16.2.3 [23.1kB]
Fetched 84.7kB in 1s (77.8kB/s)
Preconfiguring packages ...
Selecting previously deselected package ucf.
(Reading database ... 12638 files and directories currently installed.)
Unpacking ucf (from .../apt/archives/ucf_3.005_all.deb) ...
Moving old data out of the way
Selecting previously deselected package ufw.
Unpacking ufw (from .../archives/ufw_0.16.2.3_all.deb) ...
Setting up ucf (3.005) ...

Setting up ufw (0.16.2.3) ...

Creating config file /etc/ufw/before.rules with new version

Creating config file /etc/ufw/before6.rules with new version

Creating config file /etc/ufw/after.rules with new version

Creating config file /etc/ufw/after6.rules with new version

How to Use UFW

Check the status

$ sudo ufw status 
Status: inactive


Start the firewall

$ sudo ufw enable 
Command may disrupt existing ssh connections. Proceed with operation (y|n)? y
Firewall is active and enabled on system startup

-Check the status

$ sudo ufw status 
Status: active


Set the default policy to deny all incoming access

$ sudo ufw default deny 
Default policy changed to 'deny'
(be sure to update your rules accordingly)


Allow access to port 22 from a specific IP over TCP (replace the placeholders with your own address and SSH port).

$ sudo ufw allow proto tcp from <your ip> to any port <ssh port (e.g. 22)> 
$ sudo ufw allow proto tcp from 192.168.0.1 to any port 22 
Rule added
$ sudo ufw status 

Status: active

To                         Action  From
--                         ------  ----
22:tcp                     ALLOW   192.168.0.1


Allow web access

-Allow access to port 80 (web) from anywhere

$ sudo ufw allow 80/tcp 
Rule added

-Allow access to port 443 (HTTPS/SSL) from anywhere

$ sudo ufw allow 443/tcp 
Rule added
$ sudo ufw status 

Status: active

To                         Action  From
--                         ------  ----
80:tcp                     ALLOW   Anywhere
443:tcp                    ALLOW   Anywhere


Allow access to port 22 from a specific IP and web access from anywhere

-Allow access to port 22 from your IP only, and access to ports 80 (web) and 443 (HTTPS/SSL) from anywhere. The complete sequence, from enabling the firewall to checking the result:

$ sudo ufw enable 
Firewall started and enabled on system startup
$ sudo ufw default deny 
Default policy changed to 'deny'
(be sure to update your rules accordingly)
$ sudo ufw allow proto tcp from 192.168.0.1 to any port 22 
Rule added
$ sudo ufw allow 80/tcp 
Rule added
$ sudo ufw allow 443/tcp 
Rule added
$ sudo ufw status 

Status: active

To                         Action  From
--                         ------  ----
22:tcp                     ALLOW   192.168.0.1
80:tcp                     ALLOW   Anywhere
443:tcp                    ALLOW   Anywhere
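The sequence above as an added example script, not code from the wiki page: it applies the same baseline (deny incoming by default, SSH only from the admin address, ports 80 and 443 from anywhere) but validates the address before handing it to ufw and adds the SSH rule before enabling the firewall, so the session you are working from is not cut off by the deny policy. ADMIN_ADDR, SSH_PORT and the file name ufw-baseline.sh are placeholders of this example; the page's own values are 192.168.0.1 and 22. "ufw default deny incoming" and "ufw --force enable" are commands of current ufw releases and may not exist on the 0.16 version shown in the install transcript.

```shell
#!/bin/sh
# Added example, not from the wiki page: the page's baseline ruleset applied
# as one script with two guard-rails:
#   1. the admin address is validated before it reaches ufw;
#   2. the SSH allow rule goes in BEFORE "ufw enable", so the session you are
#      working from is never cut off by the deny-by-default policy.
# UFW can be overridden for a dry run:  UFW="echo ufw" sh ufw-baseline.sh 192.168.0.1
UFW="${UFW:-sudo ufw}"

# valid_cidr ADDR -> 0 if ADDR is a dotted-quad IPv4 address, optionally with a /0-/32 prefix
valid_cidr() {
    arg="$1"
    case "$arg" in
        ''|*[!0-9./]*|*/*/*|.*|*.|*..*) return 1 ;;
    esac
    addr="${arg%%/*}"
    prefix="${arg#*/}"
    if [ "$prefix" = "$arg" ]; then prefix=32; fi      # no "/": a single host
    case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
    if [ "$prefix" -gt 32 ]; then return 1; fi
    oldifs="$IFS"; IFS=.; set -- $addr; IFS="$oldifs"  # split into octets
    if [ $# -ne 4 ]; then return 1; fi
    for octet in "$@"; do
        if [ -z "$octet" ] || [ "$octet" -gt 255 ]; then return 1; fi
    done
    return 0
}

# baseline ADMIN_ADDR [SSH_PORT] -- run the rules in a safe order.
# ADMIN_ADDR and SSH_PORT are placeholders for your own values.
baseline() {
    admin="$1"; sshport="${2:-22}"
    if ! valid_cidr "$admin"; then
        echo "refusing: '$admin' is not an IPv4 address or CIDR block" >&2
        return 1
    fi
    case "$sshport" in ''|*[!0-9]*) echo "refusing: bad SSH port '$sshport'" >&2; return 1 ;; esac
    $UFW default deny incoming &&
    $UFW allow proto tcp from "$admin" to any port "$sshport" &&
    $UFW allow 80/tcp &&
    $UFW allow 443/tcp &&
    $UFW --force enable      # --force answers the "may disrupt ssh" prompt (newer ufw)
}

# usage: sh ufw-baseline.sh ADMIN_ADDR [SSH_PORT]
if [ "$#" -gt 0 ]; then baseline "$@"; fi
```

Run it first with UFW="echo ufw" to see the exact commands it would issue; the real run needs root, and "ufw status" afterwards should show the three rows from the status output above.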


Allow access to port 22 from a range of IP addresses except some

-Allowing access to port 22 from all IPs of 192.168.0.x except 192.168.0.5 and 192.168.0.10. ufw evaluates rules in the order they were added and stops at the first match, so the two deny rules must go in before the subnet-wide allow; added afterwards they would never be reached. No protocol is given, so each rule covers both TCP and UDP, which is why the status below lists a tcp and a udp row for each.

$ sudo ufw deny from 192.168.0.5 to any port 22 
$ sudo ufw deny from 192.168.0.10 to any port 22 
$ sudo ufw allow from 192.168.0.0/24 to any port 22 
$ sudo ufw status 

Status: active

To                         Action  From
--                         ------  ----
22:tcp                     DENY    192.168.0.5
22:udp                     DENY    192.168.0.5
22:tcp                     DENY    192.168.0.10
22:udp                     DENY    192.168.0.10
22:tcp                     ALLOW   192.168.0.0/24
22:udp                     ALLOW   192.168.0.0/24
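Because ordering matters, it is worth auditing the ruleset you actually have rather than the one you meant to build. The following is an added example, not from the wiki page: a POSIX sh script that reads "ufw status" output and reports (1) the management port allowed from Anywhere and (2) a DENY or REJECT rule that sits after an ALLOW whose source already covers it, which ufw never reaches. The status text embedded in it is constructed to trigger one of each; the function and file names are this example's own. It understands both the old 22:tcp column format shown on this page and the current 22/tcp format, IPv4 rows only.

```shell
#!/bin/sh
# Added example, not from the wiki page: audit "ufw status" output offline.
# Checks (IPv4 rows only, plain "ufw status" format, old "22:tcp" or new "22/tcp"):
#   1. the management port (default 22) allowed from Anywhere;
#   2. a DENY/REJECT whose source is already covered by an earlier ALLOW on
#      the same port, which never matches because ufw stops at the first hit.
# Exit status is the number of findings (0 = clean).

# ip4_to_int 192.168.0.5 -> 3232235525
ip4_to_int() {
    oldifs="$IFS"; IFS=.; set -- $1; IFS="$oldifs"
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# covers OUTER INNER -> 0 if INNER (host or CIDR) lies inside OUTER; "Anywhere" = 0.0.0.0/0
covers() {
    outer="$1"; inner="$2"
    case "$outer" in Anywhere) outer=0.0.0.0/0 ;; */*) ;; *) outer="$outer/32" ;; esac
    case "$inner" in Anywhere) inner=0.0.0.0/0 ;; */*) ;; *) inner="$inner/32" ;; esac
    op="${outer#*/}"; ip="${inner#*/}"
    if [ "$ip" -lt "$op" ]; then return 1; fi        # inner must be at least as specific
    if [ "$op" -eq 0 ]; then return 0; fi            # /0 covers everything
    mask=$(( (0xFFFFFFFF << (32 - op)) & 0xFFFFFFFF ))
    o=$(ip4_to_int "${outer%/*}"); i=$(ip4_to_int "${inner%/*}")
    [ $(( o & mask )) -eq $(( i & mask )) ]
}

# audit_status [PORT] -- reads status text on stdin, prints findings, returns their count
audit_status() {
    port="${1:-22}"; findings=0; allows=""
    while IFS= read -r line; do
        set -- $line                                   # rule rows are "<to> <ACTION> <from>"
        [ $# -ge 3 ] || continue
        to="$1"; action="$2"; from="$3"
        case "$action" in ALLOW|DENY|REJECT|LIMIT) ;; *) continue ;; esac   # skips header/dashes/(v6)
        case "$from" in *:*) continue ;; esac          # IPv4 rows only
        key=$(printf %s "$to" | tr : /)                # "22:tcp" (old ufw) -> "22/tcp"
        case "$action" in
            ALLOW|LIMIT)
                if [ "${key%%/*}" = "$port" ] && [ "$from" = Anywhere ]; then
                    echo "FINDING: $key allowed from Anywhere: $line"
                    findings=$((findings + 1))
                fi
                allows="$allows $key|$from" ;;
            DENY|REJECT)
                for a in $allows; do
                    if [ "${a%%|*}" = "$key" ] && covers "${a#*|}" "$from"; then
                        echo "FINDING: $action $from on $key is shadowed by earlier ALLOW from ${a#*|}: $line"
                        findings=$((findings + 1))
                    fi
                done ;;
        esac
    done
    return $findings
}

# Constructed sample (not real output): one shadowed DENY and SSH open to Anywhere.
SAMPLE_STATUS='Status: active

To                         Action  From
--                         ------  ----
22:tcp                     ALLOW   192.168.0.0/24
22:tcp                     DENY    192.168.0.5
22:tcp                     ALLOW   Anywhere
80:tcp                     ALLOW   Anywhere'

# audit_sample -- run the audit over the constructed sample; returns 2
audit_sample() {
    printf '%s\n' "$SAMPLE_STATUS" | audit_status 22
}

case "${1:-}" in
    --sample) audit_sample ;;                # sh ufw-audit.sh --sample
    --stdin)  shift; audit_status "$@" ;;    # sudo ufw status | sh ufw-audit.sh --stdin 22
esac
```

On the sample the script prints two findings and exits with status 2; on the ruleset built in this section (denies first, then the /24 allow) it exits 0. Only the containment check is done, not a full simulation of every rule, so treat a finding as a prompt to run "ufw status numbered" and re-insert the rule with "ufw insert" at the right position.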


Allow access to Samba from a range of IP addresses

-Allowing access to Samba from all IPs of 192.168.0.x. Samba here is an application profile (listed by ufw app list), so the rule expands to the ports that profile declares.

$ sudo ufw allow from 192.168.0.0/24 to any app Samba

-Allowing access to Samba from all the IPs of 192.168.X.X

$ sudo ufw allow from 192.168.0.0/16 to any app Samba

-Allowing access to all the IPs of 192.168.X.X from Samba. Note that this reversed form matches on the source ports: traffic whose source port is one of the Samba profile's ports, from any host, to the given network. That is rarely what an inbound rule should do; the two forms above, which match the destination port, are the usual ones. As written the command covers only 192.168.0.0/24 (192.168.0.x), not the 192.168.0.0/16 of the heading.

$ sudo ufw allow from any app Samba to 192.168.0.0/24

Delete Rule

  • To delete the rule allow 8080/tcp
$ sudo ufw status 
Status: active

To                         Action  From
--                         ------  ----
22:tcp                     ALLOW   192.168.0.1
80:tcp                     ALLOW   Anywhere
443:tcp                    ALLOW   Anywhere
8080:tcp                   ALLOW   Anywhere
$ sudo ufw delete allow 8080/tcp 
  • Result
$ sudo ufw status 

Status: active

To                         Action  From
--                         ------  ----
22:tcp                     ALLOW   192.168.0.1
80:tcp                     ALLOW   Anywhere
443:tcp                    ALLOW   Anywhere


  • Or to delete the rule allow 8080/tcp from 192.168.0.100.
$ sudo ufw status 
Status: active

To                         Action  From
--                         ------  ----
22:tcp                     ALLOW   192.168.0.1
80:tcp                     ALLOW   Anywhere
443:tcp                    ALLOW   Anywhere
8080:tcp                   ALLOW   192.168.0.100
$ sudo ufw delete allow in from 192.168.0.100 to any port 8080 proto tcp
  • Result
$ sudo ufw status 
Status: active

To                         Action  From
--                         ------  ----
22:tcp                     ALLOW   192.168.0.1
80:tcp                     ALLOW   Anywhere
443:tcp                    ALLOW   Anywhere